
How to use wireguard+phantun correctly in openwrt #116

Open
lfznnzq opened this issue May 15, 2023 · 12 comments

Comments

@lfznnzq

lfznnzq commented May 15, 2023

I am a novice and I don’t know much about these things. I hope everyone can understand the English translated by Google. Thanks.

Both routers run the official OpenWrt 21.02.5 firmware. With WireGuard configured on its own, the connection succeeds and the two LANs can reach each other, but after adding phantun the connection no longer succeeds.

Below is my configuration

A router's wireguard

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	option listen_port '20480'
	list addresses '10.0.0.10'
	option mtu '1300'

config wireguard_wg0
	option public_key 'xxx'
	list allowed_ips '192.168.20.0/24'
	list allowed_ips '10.0.0.0/24'
	option route_allowed_ips '1'
	option persistent_keepalive '25'

A router's phantun
RUST_LOG=info phantun_server --local 10240 --remote 127.0.0.1:20480

B router's wireguard

config interface 'wg0'
	option proto 'wireguard'
	option private_key 'xxx'
	list addresses '10.0.0.20'
	option mtu '1300'

config wireguard_wg0
	option public_key 'xxx'
	list allowed_ips '192.168.10.0/24'
	list allowed_ips '10.0.0.0/24'
	option route_allowed_ips '1'
	option endpoint_host '127.0.0.1'
	option endpoint_port '20480'
	option persistent_keepalive '25'

B router's phantun
RUST_LOG=info phantun_client --local 127.0.0.1:20480 --remote example.com:10240

Now, how should I use the iptables command?
Or a full configuration tutorial?

Thanks again

@wenewzhang

I want to know the same.
phantun's README shows an example that works on a LAN,
but the internet is very different.

@terrytw

terrytw commented Jun 4, 2023

Check this out:
https://www.vinoca.org/openwrtpei-zhi-tou-ming-dai-li/
It worked for me.

@ibeange

ibeange commented Aug 3, 2023

@vincascm First of all, thanks for the help.

  • I don't quite understand why phantun is split into a client and a server. After deploying the server on OpenWrt, if I want to use WireGuard on my phone, do I also have to install the phantun client on the phone? Or do both the server and the client need to be deployed on OpenWrt?
  • In your blog tutorial you wrote that you put a phantun file into the /usr/local/bin folder. Is that phantun the server side? Also, my OpenWrt does not have a /usr/local folder.
  • Is x.com the domain that my home broadband IP points to via DDNS?
  • None of the commands mentioned in the blog run on my OpenWrt. For example, nft list table inet nat gives: Error: No such file or directory list table inet nat

What I mainly want is to use phantun to disguise WireGuard's UDP traffic so that I can access my LAN remotely without being rate limited. I hope you can clear up some of my doubts. Thanks.

@vincascm

vincascm commented Aug 3, 2023

@ibeange As you mentioned, I think frp and other similar tools are more suitable. To connect to the WireGuard peer, the premise is that the peer has an internet IP.

@ibeange

ibeange commented Aug 3, 2023

@vincascm I have an internet IP and a domain that points to that IP. I can use WireGuard normally, but the connection speed is not high enough due to the internet carrier's QoS policy, so I want to use phantun to disguise TCP traffic.

@vincascm

vincascm commented Aug 4, 2023

@ibeange Phantun is a tunnel, and its server and WireGuard's "server" are on the same machine. The client needs to be installed on another machine, because this special data packet requires a specific program to process it.
As I wrote in my blog, x.com points to this server machine.
By convention, the binary file of an installed program is generally in /usr/bin; /usr/local/bin is used here to make it easy to distinguish whether it was installed manually.
Once you have configured the nft rules related to Phantun, nft list ... will not report an error.

@xiaoun001

I am one of the earliest users of phantun and a firm supporter of it. The author also gave me very detailed and patient answers to my questions. I am very grateful and sincerely hope that this software will get better and better.
A long time ago, I spent a long time getting phantun to connect to the server on arm and x86 OpenWrt. It was a process of repeated failures; it is indeed much more difficult to get phantun working on OpenWrt. I am still using it. The phantun in my OpenWrt has been running stably for at least a year. phantun + WireGuard over IPv6 is, in one word, stable and fast.
From incomplete memory, there are several points to note (pitfalls). For the phantun interface in OpenWrt to run stably, it needs to be started before the WireGuard interface is started, otherwise wg0 will have no data. The method I took was to write a phantun system daemon in /etc/init.d and have it run before the system network service. After more than a year, it became very stable. In addition, our home broadband IP changes dynamically, which may cause problems and require reconnection. I tried writing an automatic detection script in cron, which checks regularly and rebuilds the connection immediately after a failure. It's also possible that it's a firewall port problem, a NAT problem, or a port mapping problem. I put both the phantun interface and wg0 in the lan zone of the firewall, and it's much simpler.
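The cron-based "detect and rebuild" check described in the comment above, written out as an added example (this is not code from the phantun project or from the commenter). It reads the handshake timestamps that `wg show <iface> latest-handshakes` prints, treats the tunnel as dead when no peer has completed a handshake within MAX_AGE seconds (or ever), and then restarts the phantun service. The interface name, the init script path `/etc/init.d/phantun` and the 300-second threshold are assumptions; adjust them to your setup.

```shell
#!/bin/sh
# Added example: cron watchdog for phantun + WireGuard on OpenWrt.
# Assumed names: WG_IFACE, PHANTUN_INIT (an /etc/init.d script for phantun), MAX_AGE.

WG_IFACE="${WG_IFACE:-wg0}"
PHANTUN_INIT="${PHANTUN_INIT:-/etc/init.d/phantun}"
# With persistent_keepalive 25 a healthy peer re-handshakes roughly every 2 minutes,
# so 5 minutes without any handshake is a safe "tunnel is dead" threshold.
MAX_AGE="${MAX_AGE:-300}"

# newest_handshake OUTPUT
# OUTPUT is the text of `wg show <iface> latest-handshakes`: one line per peer,
# "<peer-pubkey><TAB><unix-epoch>", where 0 means no handshake has ever completed.
# Prints the newest epoch seen, or 0 when there is none.
newest_handshake() {
    printf '%s\n' "$1" | awk 'BEGIN { max = 0 } NF >= 2 && $2 > max { max = $2 } END { print max }'
}

# tunnel_stale NEWEST NOW MAX_AGE
# Exit status 0 means the tunnel is stale (restart needed), 1 means healthy.
tunnel_stale() {
    [ "$1" -eq 0 ] && return 0            # never handshaked at all
    [ $(( $2 - $1 )) -gt "$3" ]           # last handshake older than the threshold
}

watchdog() {
    out=$(wg show "$WG_IFACE" latest-handshakes 2>/dev/null) || out=""
    newest=$(newest_handshake "$out")
    now=$(date +%s)
    if tunnel_stale "$newest" "$now" "$MAX_AGE"; then
        logger -t phantun-watchdog "no handshake on $WG_IFACE for more than ${MAX_AGE}s, restarting phantun"
        "$PHANTUN_INIT" restart
    fi
}

# Only run the check when executed as the installed script (so the functions can be sourced elsewhere).
case "$0" in *phantun-watchdog*) watchdog ;; esac
```

Install it as `/usr/bin/phantun-watchdog` and add a line such as `*/2 * * * * /usr/bin/phantun-watchdog` to the root crontab (`crontab -e` on OpenWrt, then `/etc/init.d/cron restart`). Restarting only the phantun client is enough for the CGNAT/dynamic-IP case: WireGuard keeps its configuration and simply completes a new handshake once packets flow again.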

@vincascm

@xiaoun001 As a gateway, when the IP is reassigned (which could be after 7 days, depending on the ISP), it may change the NAT mapping address and indeed cause connection issues. In such cases, restarting the client is the only solution. If you can clearly describe the problem, I suggest opening a separate issue to address it.

@dndx
Owner

dndx commented Sep 26, 2023

@vincascm This won't be an issue if the NAT device actually sends RST after connection tracking is broken and terminates unknown TCP mappings.

Maybe this could be improved with heartbeat support like #93. I can take a closer look at that PR later.

@vincascm

Indeed, very much looking forward to it.

@MisakaMikoto-35c5

Finally I found a solution for my environment. My network structure:

(OpenWRT 23.05) <-> (Phantun Client) <-> (ISP with CGNAT) <-> (Phantun Server) <-> (Ubuntu server)

On Ubuntu, I'm using this script to install Phantun and use firewalld to manage NAT rules.

On OpenWRT, I created the following firewall rules:

cat >> /etc/config/firewall << EOF

config nat
        option name 'Phantun NAT'
        list proto 'all'
        option src '*'
        option src_ip '169.254.0.0/16'
        option target 'MASQUERADE'

config zone
        option name 'Phantun'
        option input 'DROP'
        option output 'DROP'
        option forward 'ACCEPT'
        list subnet '169.254.0.0/16'
        option auto_helper '0'

config forwarding
        option src 'Phantun'
        option dest 'wan'
EOF

And add this command to /etc/rc.local then reboot your router:

nohup /usr/sbin/phantun_client --local 127.114.51.4:1919 --remote <change it> --tun-local 169.254.0.0 --tun-peer 169.254.0.1 --ipv4-only > /dev/null 2>&1 &

Finally I can see some network activity on the configured WireGuard interface, so I think this works for me. I'm using 169.254.0.0/16 because this IP range can't be routed on the internet; you can change it for yourself.
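As an added example (not from the phantun project or from either commenter), here is the same client invocation as the rc.local line above turned into an OpenWrt procd init script. It addresses two things raised in this thread: procd respawns the client if it exits, and the START value orders it before netifd brings up wg0, which is the start-before-WireGuard requirement described earlier. Assumptions: the binary path, START=18 (the network service on OpenWrt 21.02/23.05 uses START=19), and the remote `example.com:10240`, which is a placeholder copied from the first post and must be replaced with your server.

```shell
#!/bin/sh /etc/rc.common
# Added example: /etc/init.d/phantun for OpenWrt (procd). Not part of the phantun project.
# START=18 is an assumption chosen to run before /etc/init.d/network (START=19).

USE_PROCD=1
START=18
STOP=90

PHANTUN_BIN="/usr/sbin/phantun_client"          # assumed install path
PHANTUN_LOCAL="127.114.51.4:1919"               # UDP side WireGuard's endpoint_host/endpoint_port points at
PHANTUN_REMOTE="example.com:10240"              # placeholder: your phantun_server's public host:port
TUN_LOCAL="169.254.0.0"
TUN_PEER="169.254.0.1"

# phantun_args prints the argument list for the instance so it can be checked
# (for example with `sh /etc/init.d/phantun && phantun_args`) without starting anything.
phantun_args() {
    printf '%s ' --local "$PHANTUN_LOCAL" --remote "$PHANTUN_REMOTE" \
        --tun-local "$TUN_LOCAL" --tun-peer "$TUN_PEER" --ipv4-only
}

start_service() {
    procd_open_instance phantun
    # shellcheck disable=SC2046  # word splitting of the argument list is intended
    procd_set_param command "$PHANTUN_BIN" $(phantun_args)
    procd_set_param env RUST_LOG=info
    procd_set_param respawn      # restart with procd's default back-off if the client exits
    procd_set_param stderr 1     # send phantun's log lines to syslog (logread)
    procd_close_instance
}
```

Enable it with `/etc/init.d/phantun enable && /etc/init.d/phantun start` and remove the nohup line from /etc/rc.local so only one client runs. When the remote is a hostname, the first start may fail before the WAN is up; procd's respawn takes care of retrying, and the firewall zone above still applies because it matches on the 169.254.0.0/16 subnet rather than on the interface name.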

@Gitfoe

Gitfoe commented Mar 1, 2024

I've encountered my own challenges while attempting to configure Phantun + WireGuard on my OpenWrt router. Most of the resources I discovered were tailored to establishing a site-to-site VPN, rather than a full-tunnel VPN. Nevertheless, I managed to devise a working configuration and have compiled a guide to assist others in setting this up on their own. You can find my guide on GitHub Gist here. I hope anyone finds it useful.
